Monthly Malware Statistics: March 2010

Malicious programs detected on users' computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position

Change in position

Name

Number of infected computers

1

0

Net-Worm.Win32.Kido.ir

332833

2

0

Virus.Win32.Sality.aa

211229

3

0

Net-Worm.Win32.Kido.ih

186685

4

0

Net-Worm.Win32.Kido.iq

181825

5

0

Worm.Win32.FlyStudio.cu

121027

6

0

Trojan-Downloader.Win32.VB.eql

68580

7

New

Trojan.Win32.AutoRun.abj

66331

8

1

Virus.Win32.Virut.ce

61003

9

1

Packed.Win32.Krap.l

55823

10

-2

Worm.Win32.AutoIt.tc

55065

11

4

Worm.Win32.Mabezat.b

49521

12

-5

Exploit.JS.Aurora.a

43776

13

New

Packed.Win32.Krap.as

40912

14

New

Trojan.Win32.AutoRun.aay

40754

15

3

Trojan-Dropper.Win32.Flystud.yo

40190

16

-4

Virus.Win32.Induc.a

38683

17

-4

not-a-virus:AdWare.Win32.RK.aw

38547

18

New

Trojan.Win32.AutoRun.abd

37037

19

-5

not-a-virus:AdWare.Win32.Boran.z

36996

20

0

not-a-virus:AdWare.Win32.FunWeb.q

34177

There was no major change in the first Top Twenty leader board in March.

Three variants to the Autorun Trojan are worthy of mention. As was the case a couple of months back, they are autorun.inf files that use removable devices to spread the notorious P2P-Worm, Win32.Palevo and Trojan-GameThief.Win32.Magania.

This month's rating once again has an entry displaying 'packed' characteristics, and this time it's called Packed.Win32.Krap.as and conceals a rogue antivirus program. Currently this is in thirteenth place. In recent months the cybercriminals have demonstrated a penchant for specially designed packers of executable files. New methods of packing and concealing the true function of popular malware are being developed all the time, which explains why new variants of families such as Krap appear in our Top Twenty virtually every month.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position

Change in position

Name

Number of attempted downloads

1

0

Trojan-Downloader.JS.Gumblar.x

178965

2

New

Exploit.JS.CVE-2010-0806.i

148721

3

-1

Trojan.JS.Redirector.l

126277

4

2

Trojan-Clicker.JS.Iframe.ea

102226

5

4

Exploit.JS.Aurora.a

88196

6

4

Trojan.JS.Agent.aui

80654

7

-3

not-a-virus:AdWare.Win32.Boran.z

75911

8

New

Trojan.HTML.Fraud.aj

68809

9

New

Packed.Win32.Krap.as

64329

10

New

Exploit.JS.CVE-2010-0806.b

50763

11

New

Trojan.JS.FakeUpdate.ab

49412

12

New

Trojan.HTML.Fraud.aq

48927

13

3

Packed.Win32.Krap.ai

47601

14

Return

Trojan-Downloader.JS.Twetti.a

46858

15

New

Exploit.JS.Pdfka.bub

45762

16

New

Trojan-Downloader.JS.Iframe.byo

44848

17

New

Trojan.JS.FakeUpdate.aa

42352

18

Return

not-a-virus:AdWare.Win32.Shopper.l

41888

19

New

Trojan-Clicker.HTML.IFrame.fh

38266

20

New

Packed.Win32.Krap.ao

36123

As usual, when it comes to rating malicious programs on the Internet, there was plenty to discuss.

Let's start with the latest Internet Explorer vulnerability CVE-2010-0806. A rather detailed description of the problem led to the exploit for it becoming extremely widespread. Now only the laziest of cybercriminals haven't hopped on the bandwagon and two variants are already in our second Top Twenty – Exploit.JS.CVE-2010-0806.i (in second place) and Exploit.JS.CVE-2010-0806.b (in tenth place).

The latest Gumblar epidemic is still in full swing. As well as the older version of this script Trojan-Downloader, which shows up as Gumblar.x and occupies first place, a new updated version has appeared which is detected as HEUR:Trojan-Downloader.Script.Generic.

The Aurora.a exploit, which we wrote about last month, is still being used extensively by cybercriminals and has risen from ninth to fifth place in our rating.

The rather curious Twetti.a downloader, which we wrote about back in December, reared its none-too-pleasant head again in March, coming in at fourteenth place after a two-month hiatus. As was the case with Gumblar, it appears the black hats took some time-out and then started using this piece of malware to infect large numbers of websites again.

It's also no coincidence that Exploit.JS.Pdfka.bub finds itself in fifteenth place – this malicious PDF file is a component in drive-by attacks that use Twetti.a to get a foot in the door.

Our second rating also includes four new entries – Trojan.HTML.Fraud.aj, Trojan.JS.FakeUpdate.ab, Trojan.HTML.Fraud.aq and Trojan.JS.FakeUpdate.aa – that distribute fake antivirus solutions and ransomware.

Countries launching the most web-borne infections:

The overall picture remains pretty much unchanged: attacks on users are predominantly Internet-borne and make use of the vulnerabilities that regularly appear in some of the most popular software products. Fortunately, these vulnerabilities are quickly patched by the vendors, but still, too many users fail to install these patches in time. Malware is also increasingly taking advantage of user gullibility and naivety. The most common malware of this kind used by the cybercriminals in March included rogue antivirus solutions and ransomware.